b"June 15, 2004\nReport No. 04-022\n\n\nFDIC\xe2\x80\x99s Information Technology\nExamination Program\n\n\n\n\n               AUDIT REPORT\n\x0c                                               TABLE OF CONTENTS\n\n\nBACKGROUND .......................................................................................................................... 2\n\nRESULTS OF AUDIT ................................................................................................................. 7\n\nQUALITY REVIEW PROCESS COULD IMPROVE INFORMATION TECHNOLOGY\nEXAMINATIONS ........................................................................................................................ 7\n          Type of Examination Performed .................................................................................... 8\n          Work Programs Used ...................................................................................................... 9\n          Evidence to Support the Report of Examination ........................................................ 11\n          Recommendation ............................................................................................................ 14\n\nCORPORATION COMMENTS AND OIG EVALUATION ................................................ 14\n\nAPPENDIX I:                OBJECTIVE, SCOPE, AND METHODOLOGY ................................... 16\n\nAPPENDIX II: SUMMARY TABLE OF RESULTS ........................................................ 19\n\nAPPENDIX III: UNIFORM RATING SYSTEM\n              FOR INFORMATION TECHNOLOGY ................................................. 20\n\nAPPENDIX IV: TECHNOLOGY PROFILE SCRIPT ...................................................... 22\n\nAPPENDIX V:                CORPORATION COMMENTS ............................................................... 24\n\nAPPENDIX VI:               MANAGEMENT RESPONSE TO RECOMMENDATIONS ............... 
26\n\nTABLES\n\nTable 1: Required Work Program and IT Examination Report Treatment for Each\n         Technology Profile Category ...................................................................................... 5\nTable 2: Technology Profile Category of FDIC-Supervised Banks, December 31, 2003 ..... 6\nTable 3: Total Assets of FDIC-Supervised Banks by Type, December 31, 2003 .................. 6\nTable 4: Performance Measures Related to Supervision and Examination ....................... 18\nTable 5: Technology Profile Scoring Matrix .......................................................................... 22\n\x0c\x0cBACKGROUND\n\nAccording to the FDIC, no area of banking has changed as significantly during the past 10 years\nas the IT area.3 Insured institutions increasingly have made banking services and data available\nto customers through automated teller machines and transactional World Wide Web sites. The\ncomplexity of maintaining a secure IT environment undoubtedly will increase as banks continue\nto enhance technological capabilities and delivery channels. Also, attacks on IT systems are\nincreasing, and new vulnerabilities such as denial of service attacks4 are reported daily, which\nactually or could cause substantial financial losses. Other risks include (1) threats to security;\n(2) loss of availability, integrity, and confidentiality of information; and (3) regulatory\ncompliance with laws and regulations.\n\nThe FDIC\xe2\x80\x99s primary concern about the financial industry's use of IT is the potential risk of loss to\ndeposit insurance funds from high-cost bank failures if risks are not adequately managed and\ncontrolled. 
The FDIC principally addresses its concern by participating in government-wide\ninitiatives, issuing guidance, and conducting IT examinations.\n\nFDIC\xe2\x80\x99s Participation in Government-Wide Critical Infrastructure Protection Initiatives\n\nFDIC has actively participated in government-wide efforts aimed at protecting the nation\xe2\x80\x99s\ncyber-based and physical infrastructures and key resources. The December 17, 2003 Homeland\nSecurity Presidential Directive (Hspd-7) on Critical Infrastructure Identification, Prioritization,\nand Protection established a national policy for federal departments and agencies to identify and\nprioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks.\nRecognizing that each infrastructure sector possesses its own unique characteristics and\noperating models, Hspd-7 designated the U.S. Department of the Treasury as the Sector-Specific\nAgency for banking and finance.\n\nThe U.S. Department of the Treasury, Assistant Secretary for Financial Institutions, chairs the\ncommittee designated as the primary coordinating body for critical infrastructure initiatives\nrelating to the financial services industry and chairs the Financial and Banking Information\nInfrastructure Committee (FBIIC). The FBIIC\xe2\x80\x99s responsibilities include identifying the U.S.\nfinancial system\xe2\x80\x99s critical infrastructure assets, their locations, and potential vulnerabilities;\nprioritizing their importance; and assisting primary regulatory agencies in addressing\nvulnerabilities. The FBIIC is charged with coordinating federal and state financial regulatory\nefforts to improve the reliability and security of the U.S. financial system. The FDIC participates\nin FBIIC efforts to evaluate and protect the critical infrastructure of the U.S. 
banking and\nfinancial services industry and to assess the vulnerabilities and risks facing the industry.\n\n\n\n\n3\n  FDIC Outlook, fall 2003 edition, Chicago Regional Perspectives, \xe2\x80\x9cImproved Security Is Vital as Information\nTechnology Grows More Complex,\xe2\x80\x9d p.17. The FDIC Outlook is published quarterly by the FDIC\xe2\x80\x99s Division of\nInsurance and Research as an information resource on banking and economic issues for insured financial institutions\nand financial institution regulators.\n4\n  Denial of service attacks flood a computer network with data in order to deny access to legitimate users.\n\n\n\n\n                                                        2\n\x0cFDIC Guidance to Institutions\n\nThe FDIC distributes a majority of its guidance to bankers through Financial Institution Letters\n(FIL). The FILs generally announce new regulations and policies, new FDIC publications, and a\nvariety of other matters of principal interest to bank management. In some cases, the FILs\nexplain specific examination procedures to be performed by FDIC IT examiners. For example,\nFIL-118-2002, Information Technology Examination Procedures, dated October 9, 2002, and\neffective November 1, 2002, announced new FDIC IT examination procedures for assessing\ninformation technology risk. The FDIC has also issued several FILs covering areas such as e-\nbanking, IT audits, electronic fund transfers, business continuity planning, technology service\nproviders, and risk management.\n\nFDIC IT Examinations and Related Policies and Procedures\n\nUnder section 10(d) of the Federal Deposit Insurance Act (FDI Act), all FDIC-insured institutions\nare required to undergo on-site safety and soundness examinations by a federal regulator5 every\n12 or 18 months6 depending on asset size and CAMELS7 ratings. Safety and soundness\nexaminations are the primary means to identify weaknesses that may ultimately lead to institution\nfailure. 
Although not required under the FDI Act, the FDIC also conducts IT examinations\ndesigned to assess an institution\xe2\x80\x99s IT risks. The FDIC normally conducts IT examinations\nconcurrently with safety and soundness examinations.\n\nFFIEC\xe2\x80\x99s Uniform Rating System for Information Technology\n\nThe FFIEC\xe2\x80\x99s Task Force on Supervision has adopted the Uniform Rating System for Information\nTechnology (URSIT).8 The URSIT is an internal rating system used by federal and state\nregulators for assessing the safety and soundness of information technology in financial\ninstitutions and by service providers that furnish these services to financial institutions.\n\nURSIT ratings consist of a composite rating and four component ratings based on a risk\nevaluation of four critical components: Audit, Management, Development and Acquisition, and\nSupport and Delivery. The ratings are based on a scale of 1 through 5 in ascending order of\nsupervisory concern with 1 representing the highest rating and least degree of concern, and 5\nrepresenting the lowest rating and highest degree of concern. The URSIT is explained in more\ndetail in Appendix III.\n\n\n\n5\n  The four federal regulators are the FDIC, Federal Reserve Board, Office of the Comptroller of the Currency, and\nthe Office of Thrift Supervision.\n6\n  The FDI Act requires all FDIC-insured institutions to be examined on a 12-month cycle. The Act allows the\nexamination cycle to be extended to 18 months for institutions with assets of $250 million or less if other factors are\nmet \xe2\x80\x93 primarily that the institution is CAMELS rated 1 or 2 (see footnote 7), well managed, and well capitalized.\n7\n  CAMELS (Capital, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk are the rating\nfactors used by federal regulators in examining the safety and soundness of FDIC-insured institutions. 
A rating of\n1 through 5 is given, with 1 having the least regulatory concern and 5 having the greatest concern.\n8\n  The FFIEC recommended that the federal supervisory agencies implement the URSIT no later than April 1, 1999.\n\n\n\n\n                                                          3\n\x0cThe primary purpose of the rating system is to identify those entities whose condition or\nperformance of IT functions require special supervisory attention. This rating system assists\nexaminers in making an assessment of risk and compiling examination findings. However, the\nrating system does not drive the scope of an examination. Examiners should use the rating\nsystem to help evaluate the entity's overall risk exposure and risk management performance and\nto determine the degree of supervisory attention believed necessary to ensure that weaknesses are\naddressed and that risk is properly managed.\n\nFFIEC Examination Procedures\n\nIn 1996, the FFIEC issued its Information Systems (IS) Examination Handbook, an interagency\nguide to assist regulatory examiners in examining information systems operations in financial\ninstitutions and independent service bureaus. The handbook contains an overview of information\nsystems concepts, practices, examples of sound IS controls, and FFIEC examination work\nprograms. The handbook also covers regulatory policies of FFIEC member agencies for use in\nthe examination of information systems. The handbook is currently being updated and renamed\nthe FFIEC Information Technology (IT) Examination Handbook and is being reissued in a series\nof booklets that either introduce new topics or replace chapters of the 1996 handbook. The first\nbooklet on information security was issued January 29, 2003. Eventually, the 1996 handbook\nwill be retired.\n\nFDIC\xe2\x80\x99s Risk-Focused IT Examination Procedures\n\nOn November 1, 2002, the FDIC launched a new program for assessing IT risk at FDIC-\nsupervised financial institutions. 
The program incorporated a new philosophy for categorizing\ninstitutions' use of technology and exposure to technology risk and use of updated and more risk-\nfocused IT examination procedures. The FDIC developed two new work programs to accomplish\nthis:\n\n   \xe2\x80\xa2   The IT-MERIT (Maximum Efficiency, Risk-focused, Institution Targeted) Procedures\n       work program contains examination procedures used by examiners conducting technology\n       risk reviews at FDIC-supervised financial institutions with the least technology risk.\n\n   \xe2\x80\xa2   The IT General Work Program is used by examiners conducting technology risk reviews\n       at FDIC-supervised financial institutions with low to moderate technology risk. The IT\n       General Work Program consolidated several previously issued, technology-related work\n       programs into a single work program and eliminated redundant review areas to improve\n       examiner efficiency.\n\nExaminers use the existing FFIEC work programs for all financial institutions with greater\ntechnology risk and for institutions with complex or sophisticated technology systems.\n\n\n\n\n                                               4\n\x0cFDIC\xe2\x80\x99s new risk-focused approach to IT examinations begins with classifying the IT risk at\nfinancial institutions into one of four new IT examination categories. Table 1 shows the required\nwork programs and IT examination report treatments for each category. The new categories\ndescribe an institution\xe2\x80\x99s technology risk profile to address the different levels of risk posed by\nfinancial institutions through their use of IT. These new technology profile categories are\napplied to financial institutions through a standard methodology called the Technology Profile\nScript. 
Details on the Technology Profile Script and scoring matrix and definitions of category\ntypes are in Appendix IV.\n\nTable 1: Required Work Program and IT Examination Report\n         Treatment for Each Technology Profile Category\nTechnology\n  Profile     Technology                                     Report Treatment\n  Matrix        Profile            Required             Based on Technology Profile\nScore Range    Category        Work Program            Category and URSIT Rating\n                                                   Composite URSIT rating reported as\n    0-49         Type I     IT-MERIT Procedures part of the bank\xe2\x80\x99s safety and\n                                                   soundness report.\n                               IT General Work     \xc2\x83 If composite URSIT rating is 1 or 2:\n    0-49        Type II                              only the composite rating is reported\n                                   Program\n                                                     as part of the safety and soundness\n                               IT General Work       report.\n                            Program supplemented   \xc2\x83 If composite or any component is 3,\n   50-79        Type III                             4, or 5 rated: composite and all four\n                                by FFIEC work\n                                   programs          component ratings are reported in a\n                                                     separate IT report of examination.\n                                                   Composite and all four component\n   80-130       Type IV     FFIEC work programs ratings are reported in a separate IT\n                                                   report of examination.\nSource: FDIC Regional Directors Memorandum 2002-043 and FDIC Financial Institution Letter FIL-12-99.\n\n\n\n\n                                                    5\n\x0cThe Technology Profile category and total 
assets of all FDIC-supervised institutions as of\nDecember 31, 2003 are shown in the following tables.\n\nTable 2: Technology Profile Category of FDIC-Supervised Banks, December 31, 2003\n             Region          Type I    Type II Type III Type IV      Total Banks\nAtlanta                         370        60      236         22        688 (13%)\nChicago                         482       305      343         25      1,155 (22%)\nDallas (includes Memphis)       319       155      482         61      1,017 (19%)\nKansas City                     668       174      534         37      1,413 (26%)\nNew York (includes Boston)       98       128      366         41        633 (12%)\nSan Francisco                   198        26      162         31        417 ( 8%)\nTotal                         2,135       848    2,123       217       5,323\nPercentage of Institutions      40%       16%      40%         4%        100%\nSource: FDIC Division of Supervision and Consumer Protection, Information Systems Section.\n\nTable 3: Total Assets* of FDIC-Supervised Banks by Type, December 31, 2003\n           Region             Type I   Type II Type III Type IV        Total Assets\nAtlanta                      $ 76,730 $ 5,977 $ 55,909 $ 93,241 $ 231,857 (14%)\nChicago                        46,000    38,421   81,975    16,539     182,935 (11%)\nDallas (includes Memphis)      28,961    12,228   81,198     54,492    176,879 (11%)\nKansas City                    35,688     8,893    69,717    14,300    128,598 ( 8%)\nNew York (includes Boston)     38,285    62,577 279,952 239,595        620,409 (37%)\nSan Francisco                  32,210     1,644 113,215 175,492        322,561 (19%)\nTotal                        $257,874 $129,740 $681,966 $593,659 $1,663,239\nPercentage of Total Assets       15%        8%       41%       36%         100%\nSource: FDIC Division of Supervision and Consumer Protection, Information Systems Section.\n*Dollars in millions.\n\nFDIC IT Examiner Workforce 
and Training\n\nThe FDIC uses specially trained IT examiners to conduct IT examinations. In 1997, the FDIC\ndeveloped two programs to address IT: the Information Systems On-the-Job Training (IS-OJT)\nProgram and the Electronic Bank Subject Matter Experts (E-banking SMEs) Program.\nExaminers completing the IS-OJT program become part of a cadre of IT examiners available to\nparticipate in IT examinations of large, complex data centers as well as perform other IS-related\nassignments. Examiners completing the E-banking SME program are responsible for examining\ntechnical aspects of e-banking activities of financial institutions that permit transactions over\npublic networks. The examiners also conduct examinations of non-bank service providers that\ndevelop and support e-banking applications.\n\nIn December 2003, the IS-OJT program was revised to address increasingly complex networks,\nInternet connectivity, and emerging electronic banking activities such as Internet banking and\nelectronic cash systems and was renamed the Information Technology On-the-Job Training\n(IT-OJT) Program. The IT-OJT program is tiered to focus training on the graduated skill sets\nneeded to examine Type III and Type IV entities as well as other complex entities.\n\n\n\n\n                                                      6\n\x0cRESULTS OF AUDIT\n\nFDIC\xe2\x80\x99s IT examination program provides reasonable assurance that IT risks are being addressed\nby risk management programs in FDIC-supervised financial institutions. The program requires\nrisk-focused IT examinations, which seek to identify and gain an understanding of the inherent\nrisks present at each institution, evaluate the effectiveness of the bank\xe2\x80\x99s risk management and\ninternal control structures, and recommend improvements. 
FDIC IT examiners focused their\nexamination procedures on how well an institution manages and controls its high to moderate IT\nrisks, with less attention focused on how well an institution manages and controls low IT risks.\nConsistent with the FDIC\xe2\x80\x99s goals to reduce the overall burden on the financial institution through\nthe use of risk-focused examinations, not all control areas at the institution may be reviewed.\nNevertheless, the examination procedures adequately cover those controls needed for institutions\nto implement an effective information security program.\n\nWe did identify opportunities for improving the quality of the IT examination process based on\nour review of 21 IT examinations of banks with complex or sophisticated technology systems.\nSpecifically, the FDIC does not have a review process in place to determine whether appropriate\nexamination procedures are applied and that findings and conclusions are adequately supported.\nAlthough the FDIC has a quality review process in place for its safety and soundness\nexaminations, the FDIC has generally not conducted similar quality reviews for IT examinations.\nThe FDIC can improve the quality, efficiency, and effectiveness of its IT examinations by\ninstituting a standardized quality review of all phases of the IT examination process and\nsupporting documentation prior to issuance of IT examination results.\n\n\nQUALITY REVIEW PROCESS COULD IMPROVE INFORMATION\nTECHNOLOGY EXAMINATIONS\n\nOur review of IT examinations in 21 judgmentally selected institutions with complex or\nsophisticated technology systems found that more effective supervisory oversight would improve\nthe quality of IT examinations. 
The sample consisted of 10 Type IV and 11 Type III financial\ninstitutions as shown in Appendix II.\n\nTwelve of the IT examinations we reviewed were conducted in accordance with FDIC policies\nand procedures, and the corresponding reports of examination on each bank\xe2\x80\x99s information\ntechnology risk management program were adequately supported. Certain aspects of the\nremaining nine IT examinations, however, were not conducted in accordance with policy and\nprocedures as discussed below:\n\n   \xe2\x80\xa2   Incorrect Type of Examination Performed: For three institutions requiring Type IV\n       examinations, examiners performed less thorough Type III examinations. FDIC\xe2\x80\x99s\n       Technology Profile Script prepared by examiners prescribed a Type IV examination using\n       more thorough FFIEC work programs for these three banks. However, examiners used\n       FDIC\xe2\x80\x99s IT General Work Program, which provides for a more streamlined but less\n       thorough examination.\n\n\n\n\n                                                7\n\x0c    \xe2\x80\xa2   Outdated Work Programs Used: Five examinations were conducted using rescinded\n        information security-related sections of 1996 FFIEC work programs instead of the\n        December 2002 FFIEC Information Security work program. The changes had been\n        implemented by the FDIC in January 2003, and all five examinations were conducted\n        after that date.\n\n    \xe2\x80\xa2   Insufficient Support Provided: Three IT reports of examination were not adequately\n        supported. For one examination, most of the work program used to document IT security\n        work was blank, indicating that the work was not performed. 
For another examination,\n        only one page of the work program was retained in the examination work paper files.\n        Examiners also used an incorrect work program for this examination as discussed above.\n        Finally, for the remaining examination, the work program for physical and data security\n        was missing from the work paper files. Examiners also used an outdated work program\n        for this examination, as discussed above.\n\nIn addition, we noted that examination work papers that were not always properly labeled and\nsigned or initialed by the preparer.\n\nThese conditions were primarily due to a lack of management oversight during the planning and\nfield work phase of the IT examinations and a lack of supervisory review of the supporting IT\nwork papers. Because IT examiners have broad discretion and must exercise considerable\njudgment in planning, conducting, and drawing conclusions about an institution\xe2\x80\x99s IT risk\nmanagement program, periodic supervisory reviews during all phases of IT examinations by\nregional office IT specialists would be beneficial. 
Also, periodic quality assurance reviews\nwould ensure that IT examiners apply appropriate IT examination procedures, consistently\nexercise sound judgment, obtain sufficient information to identify weaknesses in an institution\xe2\x80\x99s\nrisk management program, and adequately document and support examination findings and\nconclusions.\n\nType of Examination Performed\n\nIn three Type IV institutions with extensive core processing, networking, and e-banking\nsystems,9 examiners performed Type III examinations which were less thorough examinations.\nAlthough the Technology Profile Script completed by examiners categorized all three institutions\nas Type IV institutions requiring Type IV examinations using FFIEC work programs, in each\ncase, examiners performed Type III examinations using the FDIC\xe2\x80\x99s IT General Work Program.\n\nAccording to FDIC\xe2\x80\x99s Regional Directors Memorandum (RD Memorandum) 2002-043, dated\nSeptember 30, 2002, examiners are required to use FFIEC work programs for all Type IV\ninstitutions. Examiners scored all three institutions in the Technology Profile Scripts as Type IV\n\n\n9\n Core processing includes loan, deposit, trust, or general ledger applications. Networking may be broadly defined\nas workstations, branches, servers, or other communications devices. Most institutions have some networking\ncapabilities. E-banking includes both informational and transactional Web sites. Other examples include\nmaintaining or developing internal systems with bank programming staff and providing data processing or Internet\nservices for others.\n\n\n\n                                                        8\n\x0cinstitutions. 
Each bank scored 80 or more, resulting in a Type IV profile requiring IT examiners\nto use FFIEC IT examination procedures.\n\n     \xe2\x80\xa2   In the case of one institution with $1.1 billion in assets, examiners indicated in the Pre-\n         Examination Planning Memorandum that a Type III review would be conducted using the\n         FDIC IT General Work Program. Performing a Type III review conflicts with guidelines\n         in the Technology Profile Script. Examiners did not document on the Technology Profile\n         Script the reason why a Type IV examination would not be performed.\n\n     \xe2\x80\xa2   For two other Type IV banks, IT examiners also performed Type III examinations using\n         the FDIC IT General Work Program. For one bank with $3.1 billion in assets, examiners\n         noted in the pre-planning memorandum that, \xe2\x80\x9cThe full FFIEC IS [information security\n         Type IV] work program will be used since the Bank services others for ACH [automated\n         clearing house].\xe2\x80\x9d Nevertheless, examiners used the FDIC IT General Work Program in\n         conducting the examination. For the other bank with $1.4 billion in assets, no qualitative\n         adjustments were recorded on the Technology Profile Script, and no pre-planning\n         memorandum was in the examination files to support using the IT General Work\n         Program rather than FFIEC work program.\n\nAccording to RD Memorandum 2002-043, a Field Supervisor or Senior Examiner may make\nqualitative adjustments to the Technology Profile Script score to address significant risks not\nincluded in the scoring model. The scoring matrix has a column for documenting such\nqualitative adjustments. 
Qualitative adjustment factors may include all questions in the Script\nthat were not directly scored as well as other areas not included in the Technology Profile Script.\nOnce the Technology Profile Type is determined, additional risk characteristics, such as asset\nsize, prior IT examination ratings, and prior examination scope should be considered before the\nfinal determination is made on the type of examination to be performed. While it is not clear\nfrom the RD Memorandum whether scores may be adjusted downward, for these three banks no\nadjustments were recorded in the Technology Profile Scripts to reduce the scores below 80.\n\n\nWork Programs Used\n\nFor five Type IV institutions that had extensive core processing, networking, and e-banking\nsystems, IT examiners used rescinded 1996 security-related work programs instead of the\nrequired 2002 security-related work programs implemented in January 2003. Examiners thought\nthe 2002 Information Security Booklet was not yet finalized and that they had the discretion to\nuse 1996 work programs. According to the Technology Profile Scripts, each of the five\ninstitutions scored 85 or more, resulting in a Type IV profile, and each IT examination began\nafter March 30, 2003. For one of the five institutions, IT examiners used the security-related\nsections of the 1996 FFIEC Community Financial Institution IS Examination Workprogram10 to\nreview the bank's information security. For the remaining four banks, examiners used the\n\n\n10\n  The 1996 FFIEC Community Financial Institution IS Examination Workprogram is applicable to small\ninstitutions using vendor supplied and supported software. 
Use of this program is predicated on the fact that there\nare no on-site systems and programming activity being performed by either bank staff or private consultants.\n\n\n\n                                                          9\n\x0csecurity-related sections of the 1996 FFIEC Information Systems Examination Handbook work\nprograms to review the banks\xe2\x80\x99 information security.\n\nOn January 31, 2003, the Associate Director of DSC\xe2\x80\x99s Technology Supervision Branch sent an\ne-mail to the Assistant Regional Directors (ARD) responsible for IT examinations that the\nFFIEC had issued new guidance and examination procedures regarding information security.\nSpecifically, the e-mail discussed the FFIEC\xe2\x80\x99s new Information Security Booklet, the first in a\nseries of booklets comprising the new FFIEC Information Technology Examination Handbook.\nThe Associate Director pointed out that the December 2002 booklet updates and rescinds the\nsecurity-related guidance in the 1996 FFIEC Information Systems Examination Handbook,\nincluding chapters 12 through 14. The e-mail stated that the remainder of the 1996 handbook\nwas still in effect and that examiners should use the work programs in the booklet in place of\nthose in the 1996 handbook for all examinations, beginning immediately.\n\nThe FDIC advised examiners and the financial institutions it regulates of the issuance of the new\nFFIEC guidance on information security through FIL-11-2003, New Information Security\nGuidance for Examiners and Financial Institutions, dated February 12, 2003. The FIL states\nthat on January 29, 2003, the FFIEC issued revised guidance for examiners and financial\ninstitutions to use in identifying information security risks and evaluating the adequacy of\ncontrols and applicable risk-management practices of financial institutions. 
The FIL stated that\nthe Information Security Booklet is the first in a series of updates to the 1996 FFIEC Information\nSystems Examination Handbook and that the updates will address significant changes in\ntechnology since 1996 and incorporate a risk-based examination approach.\n\nIn four Type IV institutions, the IT examiners used work programs from the 1996 handbook\ninstead of using the new 2002 examination procedures to assess the adequacy of information\nsecurity. Total assets at these banks ranged from $1.5 billion to $14.1 billion. In addition, for a\nfifth examination, an IT examiner used the security-related section of the 1996 FFIEC\nCommunity Financial Institution IS Examination Workprogram to review the information\nsecurity program at the bank. That workprogram included some questions in the new FDIC IT\nGeneral Work Program, which is prescribed for Type II and III institutions. The institution had\nassets of about $4.8 billion and used extensive core processing, networking, and other critical\nsystems.\n\nFDIC regional management advised us that it had addressed continued use of the 1996 FFIEC\nwork programs by a few IT examiners. In summary, FDIC management stated that although\nerrors in the process occurred, no substantive areas of the banks\xe2\x80\x99 IT systems were omitted from\nreview through the use of the 1996 work programs. According to FDIC, the security\nassessments did not lack in scope or depth, and the pertinent security risks were appropriately\nidentified.\n\nWe disagree with the position that Type IV examinations conducted using 1996 FFIEC work\nprograms for IT security-related work resulted in a complete review of the banks\xe2\x80\x99 information\nsecurity programs. 
According to the FFIEC, the new Information Security Booklet contains
more than four times the information in the security section of the 1996 Information Systems
Examination Handbook; therefore, there is a potential to miss areas of significant supervisory
concern. For example, new or significantly expanded guidance applies to the following areas:

   •   Logical and Administrative Access Control
   •   Physical Security
   •   Encryption
   •   Malicious Code
   •   Systems Development, Acquisition, and Maintenance
   •   Software Development and Acquisition
   •   Host and User Equipment Acquisition and Maintenance
   •   Personnel Security
   •   Electronic and Paper-based Media Handling
   •   Logging and Data Collection
   •   Service Provider Oversight
   •   Intrusion Detection and Response
   •   Business Continuity Considerations
   •   Insurance

Many of the procedures used to review these areas are intended to be performed during in-depth
reviews of IT security rather than during the basic risk analysis. Consequently, these areas were
not reviewed in five of the seven banks in our sample that were Type IV institutions and received
Type IV examinations; the examiners considered the areas to be outside the scope of the basic
risk analyses performed for those five banks. Only one Type IV examination in the Dallas
Region and one in the New York Region used the in-depth verification procedures to review IT
security. The expanded examination steps are also referred to as Tier 2 procedures. For the
remaining five examinations, examiners performed procedures designed to provide an overview
of risk and risk management processes, referred to as Tier 1 procedures. 
We found that there are
no criteria or standards to prompt examiners to perform Tier 2 in-depth review procedures.

Evidence to Support the Report of Examination

Three IT reports of examination were not sufficiently supported because documentation of
examiners’ reviews was either incomplete or missing. In addition, examiners who prepared
many of the work papers did not date, initial, or sign them or show the name of the institution
and its location.

According to RD Memorandum 2001-039, Guidelines for Examination Work Papers and
Discretionary Use of Examination Documentation Modules, dated September 25, 2001, the
preparation of examination work papers is an important part of documenting the examination
process and supporting examination conclusions. All work papers should be labeled with the
institution’s name and location and should be dated and signed or initialed by the examiner who
prepared the document. Examination findings should be documented through a combination of
brief summaries, bank source documents, report comments, and other examination work papers
that address both management practices and condition. Examination documentation should
demonstrate a clear trail of decisions and supporting logic. Documentation should identify
examination and verification procedures performed and conclusions reached and should support
the assertions of fact or opinion in the financial schedules and narrative comments in the reports
of examination. 
Examiners should prepare a \xe2\x80\x9cSummary Statement,\xe2\x80\x9d which includes at a\nminimum:\n\n     \xe2\x80\xa2   a summation of the documentation relied upon during the review;\n\n     \xe2\x80\xa2   the procedures used and analyses conducted to support conclusions relative to the\n         assigned CAMELS components, Bank Secrecy Act11 examination findings, and other\n         significant areas of review; and\n\n     \xe2\x80\xa2   material discussions with management.\n\nIT General Work Program\n\nFor one institution with assets valued at $2.6 billion, the IT General Work Program was\ngenerally blank, and exceptions noted in the report of examination were not always supported or\ndetailed in either the work program or other examiner work papers. Although the work papers\ncontained numerous internal audit reports, internal bank meeting minutes, and bank policies and\nprocedures, there was no evidence of review (margin notes, highlighting, etc.) of any of these\nitems. Most of the questions in the IT General Work Program were not completed. For\nexample, all eight work program questions were answered in the institution\xe2\x80\x99s Audits section.\nHowever, for the Management section, only half of the 18 questions were answered; for the\nDevelopment and Acquisition section, none of the 4 questions were answered; and for the\nSupport and Delivery section, only 8 of 37 questions were answered. Overall, 25 (37 percent) of\n67 work program questions were answered. 
The examiner appeared to have relied heavily on the\ninstitution\xe2\x80\x99s contracted internal auditor\xe2\x80\x99s reports, risk scoping procedures, and review of the\nquestionnaire completed by bank personnel.\n\nBased on our review of the IT General Work Program and documentation contained in the field\noffice IT work papers, we found two areas where the IT examiner(s) did not sufficiently\ndocument their review of the IT area or support their IT exceptions:\n\n     \xe2\x80\xa2   The embedded IT examination report contained the exception: \xe2\x80\x9cThe scope of the internal\n         audit is adequate but the frequency of audits is not adequate.\xe2\x80\x9d Our review of the\n         examination work papers and work program revealed no write-ups or examiner analysis\n         of the frequency of the bank\xe2\x80\x99s internal audit program. Instead, a notation on the work\n         program discussed the bank\xe2\x80\x99s outsourcing of the internal audit function. There was no\n         indication in the work papers or work program of how the examiner determined that the\n         frequency was not adequate.\n\n\n\n11\n  The Bank Secrecy Act of 1970, Public Law 91-508, codified to 31 U.S.C. Section 5311 et seq., requires financial\ninstitutions to maintain appropriate records and to file certain reports that are used in criminal, tax, or regulatory\ninvestigations or proceedings. 
Congress enacted the BSA to prevent banks and other financial service providers
from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity.

   •   The report also contained the exception: “There is no independent third party review of
       disaster recovery testing.” Our review of the examination work papers and work program
       indicated that the examiner noted “5 backup servers” and that the “[Bank] uses a
       contractor for offsite storage of daily backups of four of the five servers.” The work
       program and work papers contained no write-ups, notations, or analysis to support the
       criticism that disaster recovery testing lacked an independent third party review.

In response to our inquiries about the reason the examiner performed only 37 percent of the IT
General Work Program and relied more upon the work of others, the responsible Field
Supervisor intends to institute an IT work paper review program at the field office level to
prevent future discrepancies of this type.

IT Examination Work Papers

Work papers were missing for two institutions. For one institution with $1.1 billion in assets,
most of the IT General Work Program was missing from the work papers. Only one page
containing three questions from different sections of the work program was included in the
examination workpapers.

Regional management told us that the Examiner-in-Charge (EIC) had experienced computer
problems during the completion of the examination that resulted in the loss of all data, including
the examination report. This ultimately resulted in the EIC having to reconstruct the report.
Electronic work paper data files were also lost. 
Although the IT General Work Program was
missing except for the one page, the other work papers were extensive, including summaries,
write-ups, and documents gathered and reviewed. A memorandum, dated May 9, 2003, was
prepared for the regional office Report and Correspondence files by a regional office IT
specialist, explaining the delayed processing of the report and lost electronic work papers due to
the computer problems.

In response to our inquiries about the missing IT General Work Program and computerized work
paper failure, the responsible Field Supervisor intended to institute an IT work paper review
program as discussed earlier.

For one institution with $12 billion in assets, the physical and data security work program used
to support the assessment and evaluation of the institution’s information security was missing.
Specifically, the examiners used the 1996 FFIEC work programs in their examination, and
within those work papers, reference was made to the use of the 1996 FFIEC Security -- Physical
and Data Workprogram and associated work papers. However, these work papers were not
among the regional and field office work papers provided. Other work programs included
documentation of risk scoping and work performed, including review of documents and
completed FFIEC work programs for each area reviewed. In response to our inquiries about the
missing work papers, a Regional IT Specialist made inquiries to determine the whereabouts of
the work papers but did not locate them.

The errors found in our sample could have been prevented by management oversight during the
planning and field work phases of the IT examination and supervisory review of supporting work
papers. 
Because IT examiners have broad discretion and must exercise considerable judgment in\nplanning, conducting, and drawing conclusions about an institution\xe2\x80\x99s IT risk management\nprogram, periodic reviews by regional office IT specialists during all phases of IT examinations\nwould help to improve the quality of IT examinations.\n\nRecommendation\n\nWe recommend that the Director, DSC, institute a quality review process for all phases of IT\nexaminations including planning, field work, supporting documentation, and reporting, to ensure\nthat IT examiners:\n\n   \xe2\x80\xa2   consistently exercise sound judgment;\n   \xe2\x80\xa2   apply the appropriate IT examination procedures;\n   \xe2\x80\xa2   expand examination procedures when warranted;\n   \xe2\x80\xa2   perform and document adequate work to support IT examination findings, conclusions,\n       and ratings; and\n   \xe2\x80\xa2   initial or sign and date the work papers and label them with the institution\xe2\x80\x99s name and\n       location.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn June 4, 2004, the DSC Director provided a written response to the draft report. The response\nis presented in its entirety in Appendix V to this report. DSC generally concurred with the\nreport\xe2\x80\x99s findings and agreed that the IT review process could be enhanced. 
DSC provided an
action plan in its response to the OIG recommendation that will enhance its quality review
process for the regional and field offices.


Field Office: Review of Pre-Examination Planning Memorandum

To ensure that examiners are performing the correct type of IT examination and using the correct
IT work program, DSC will assess and revise as necessary the instructions for the IT pre-
examination planning (PEP) memoranda, or in the case of embedded examinations, the safety
and soundness PEP, to include the following items: type of examination planned, Technology
Profile Script score, and the intended work program to be used. The PEP will reconcile any
difference between the type of examination and the Technology Profile Script score. Thus, the
PEP will provide a vehicle for supervisory personnel to review and approve major IT
examination decisions. The PEP will serve as a quality control measure at the beginning of the
IT examination process. DSC will assess, revise, and issue, as necessary, the instructions for the
appropriate PEP memoranda by December 31, 2004.

Regional Office: Review of IT Examination Work

Currently, DSC’s regional offices have field office audit procedures that are administered by
regional office staff to verify that work programs are properly completed and findings are
adequately supported and documented. These programs commonly include reviews of IT
examination work papers and generally address the five items that we recommended be
addressed in the quality review procedures.

To help strengthen this program, DSC is standardizing a field office review program to
ensure examination program conformance with FDIC policies and to apply the appropriate
emphasis on areas reviewed. The standardized field office review program will incorporate the
items we suggested be addressed. 
The review program will also include periodic sampling of IT
examination work papers and a review of examination processing that will provide a quality
control measure at the completion of the IT examination process. DSC will implement
enhancements by March 31, 2005.

DSC’s response to the draft report meets the intent of the recommendation. Accordingly, the
recommendation is resolved but will remain undispositioned and open until we have determined
that the agreed-to corrective actions have been implemented and are effective.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether DSC’s examinations provide reasonable
assurance that IT risks are being addressed by the risk management programs in FDIC-supervised
financial institutions. The audit field work was performed at DSC regional offices in
Dallas, Texas, and New York, New York. We performed our audit from October 2003 through
April 2004 and in accordance with generally accepted government auditing standards. We
focused our work primarily on IT examinations in banks with complex or sophisticated
technology systems and more than $1 billion in assets. 
To accomplish the audit objective, we\ndid the following.\n\n   \xe2\x80\xa2   Reviewed four IT examination files \xe2\x80\x93 one of each technology profile category type \xe2\x80\x93 from\n       FDIC\xe2\x80\x99s Chicago region to determine the general content and organization of the files.\n\n   \xe2\x80\xa2   Reviewed a copy of DSC\xe2\x80\x99s Information Technology Risk Monitoring Interim Database\n       (ITRMID), a system for collecting technology risk profiles for each FDIC-supervised\n       financial institution and technology service provider.\n\n   \xe2\x80\xa2   Interviewed officials at DSC\xe2\x80\x99s Washington, D.C., headquarters office and the Chicago,\n       Dallas, and New York regional offices.\n\n   \xe2\x80\xa2   Obtained and reviewed a sample of 21 IT examinations performed in the Dallas and New\n       York regions, including reports of examination and supporting documentation.\n\n   \xe2\x80\xa2   Obtained and reviewed various bank examination data from FDIC\xe2\x80\x99s Virtual Supervisory\n       Information On the Net (ViSION) system.\n\n   \xe2\x80\xa2   Reviewed DSC RD Memoranda, FILs, and operating manuals and policies pertaining to\n       the safety and soundness and IT examination processes.\n\n   \xe2\x80\xa2   Obtained and reviewed FFIEC guidelines and work programs relating to IT examinations.\n\nReliance on Computer-Generated Data\n\nWe relied on some computer-generated data pertaining to reports of examination from the\nInteragency Examination Repository, bank information from ViSION, and IT examination data\nfrom the ITRMID. 
We performed limited tests to determine the reliability of the data and found
no reason to expand testing.


Management Controls

Our review of the management controls for the examinations we sampled identified several
control weaknesses that are discussed in the finding section of this report.


Prior Audit Coverage

The U.S. General Accounting Office (GAO) issued Electronic Banking: Enhancing Federal
Oversight of Internet Banking Activities, GAO/GGD-99-91, on July 6, 1999. The GAO found
that some regulators had been more proactive than others in examining Internet banking. GAO
also found that the FDIC had completed the most examinations of on-line banking operations at
that time and that the Office of Thrift Supervision and the FDIC had been actively issuing
policies and procedures for Internet banking examinations. However, GAO concluded that too
few examinations had been conducted at that time to identify the extent of industry-wide Internet
banking-related problems.

Laws and Regulations

Appendix C of the FFIEC’s December 2002 Information Security Booklet identifies laws and
regulations issued by federal banking regulatory agencies that are currently applicable to IT
security. These include the following:

•   Laws

    o   12 U.S.C. 1867(c): Bank Service Company Act
    o   12 U.S.C. 1882: Bank Protection Act
    o   15 U.S.C. 6801 and 6805(b): Gramm–Leach–Bliley Act
    o   18 U.S.C. 1030: Fraud and Related Activity in Connection with Computers

•   FDIC Regulations

    Title 12 of the Code of Federal Regulations (12 C.F.R.), Banks and Banking

    o   12 C.F.R. Part 326, Subpart A: Minimum Security Procedures
    o   12 C.F.R. Part 326, Subpart B: Procedures for Monitoring Bank Secrecy Act Compliance
    o   12 C.F.R. Part 332: Privacy of Consumer Financial Information
    o   12 C.F.R. Part 353: Suspicious Activity Reports
    o   12 C.F.R. Part 364, Appendix A: Interagency Guidelines Establishing Standards for
        Safety and Soundness
    o   12 C.F.R. Part 364, Appendix B: Interagency Guidelines Establishing Standards for
        Safeguarding Customer Information

We did not test for compliance with these laws and regulations as they were beyond the scope of
this audit.


Government Performance and Results Act

We reviewed DSC’s performance measures under the Government Performance and Results Act
(GPRA), Public Law 103-62. We determined that the FDIC did not have a corporate
performance objective specifically related to the IT examinations. However, according to the
FDIC’s 2003 Annual Performance Plan, and as shown in Table 4, the FDIC established the
following strategic goal, objective, and annual performance goal that include a review of
information technology as part of the FDIC’s overall assessment of risk management and safety
and soundness. 
The means and strategies the FDIC uses to achieve this strategic goal include
information technology examinations in general.

Table 4: Performance Measures Related to Supervision and Examination

  Strategic Goal:          FDIC-supervised institutions are safe and sound.
  Strategic Objective:     FDIC-supervised institutions appropriately manage risk.
  Annual Performance Goal: Conduct on-site safety and soundness examinations to assess an
                           FDIC-supervised insured depository institution’s overall financial
                           condition, management practices and policies, and compliance with
                           applicable regulations.
  Means and Strategies:    Both on-site safety and soundness and IT examinations cover
                           technology-related activities to determine how each FDIC-supervised
                           insured depository institution manages risk in that area.

Source: The FDIC’s 2003 Annual Performance Plan.


Fraud and Illegal Acts

The limited nature of the audit objective did not require that we assess the possibility for fraud
and illegal acts. 
However, throughout the audit we were alert to the possibility of fraud and
illegal acts, and no instances came to our attention.


APPENDIX II

SUMMARY TABLE OF RESULTS

Bank   Assets      TPS*        Exam         Date of    Exam    No Audit    Incorrect   Outdated   Lacking
       (billions)  Score/Type  Type/Tier**  Exam       Hours   Exception   Program     Program    Support
A      $  9.9       75/III     IV/1         01.13.03   227     ✓-a
B         5.5       65/III     III          02.10.03    90     ✓
C         0.1       50/III     III          06.09.03   127     ✓
D        10.8       75/III     III          06.09.03    70     ✓
E         0.8       65/III     III          06.16.03   263     ✓
F         6.2       65/III     III/2        06.16.03   111     ✓
G         3.0       55/III     III          08.04.03   173     ✓
H         7.1       70/III     III          08.04.03    69     ✓
I         0.1       50/III     III/2        08.04.03    68     ✓
J         8.9       50/III     III          11.10.03   196     ✓
K        19.8      105/IV      IV/2         04.16.03   260     ✓-b
L         3.1       85/IV      IV/2         07.28.03   378     ✓-b
M         2.6       65/III     III          07.14.03   256                                        ✓-f
N         1.1       80/IV      III          02.18.03   412                 ✓-c                    ✓-g
O         3.1      100/IV      III          09.29.03   238                 ✓-c
P         1.4       85/IV      III          10.27.03   135                 ✓-c
Q        12.0       95/IV      IV/1         03.31.03   200                             ✓-d        ✓-h
R        14.1      100/IV      IV/1         04.07.03   168                             ✓-d
S         4.0       85/IV      IV/1         08.11.03   128                             ✓-d
T         1.5       90/IV      IV/1         10.20.03   140                             ✓-d
U         4.8       85/IV      IV/1         11.03.03    85                             ✓-e
Total  $119.9                                                  12          3           5          3
Source: OIG analysis of 21 sampled IT examinations of FDIC-supervised banks.

 * – Technology Profile Script, discussed in Appendix IV.
** – Tier 1 examination procedures are an overview of risk and risk management processes, while Tier 2
     procedures are more in-depth verification procedures.

Notes

a – Examination was started before the new December 2002 FFIEC Information Security work program was
    implemented. Examiners used 1996 FFIEC Information Systems work programs.
b – Examiners used the new December 2002 FFIEC Information Security work program.
c – Examiners performed less thorough Type III examinations rather than the required Type IV
    examinations.
d – Examiners used outdated 1996 FFIEC Information Systems work programs rather than the required 2002
    FFIEC Information Security work program.
e – Examiner used the FFIEC Community Financial Institution Examination Networking and Data Security
    Workprogram (Section 5) instead of the new 2002 FFIEC Information Security work program.
f – Most (63 percent) questions and work steps in the IT General Work Program either were not answered or
    were not completed.
g – Only one page of IT General Work Program was in the examination work paper files.
h – Missing Physical and Data Security work program. Reference is made to it within other work programs.


APPENDIX III

UNIFORM RATING SYSTEM FOR INFORMATION TECHNOLOGY

The Uniform Rating System for Information Technology (URSIT) is based on a risk evaluation
of four critical components: Audit, Management, Development and Acquisition, and Support
and Delivery. These components are used to assess the overall performance of IT within an
organization. Examiners evaluate the functions identified within each component to assess the
institution's ability to identify, measure, monitor, and control information technology risks. Each
examined organization is assigned a summary or composite rating based on the overall results of
the evaluation. The IT composite rating and each component rating are based on a scale of 1
through 5 in ascending order of supervisory concern with 1 representing the highest rating and
least degree of concern and 5 representing the lowest rating and highest degree of concern.
These components address the following:

   •   Audit – This rating should reflect the adequacy of the organization's overall IT audit
       program, including the internal and external auditor's abilities to detect and report
       significant risks to management and the board of directors on a timely basis. 
The rating\n       should also reflect the internal and external auditor's capability to promote a safe, sound,\n       and effective operation.\n\n   \xe2\x80\xa2   Management \xe2\x80\x93 This rating should reflect the board's and management's ability as it\n       applies to all aspects of IT operations, that is, to all aspects of IT acquisition,\n       development, and operations.\n\n   \xe2\x80\xa2   Development and Acquisition \xe2\x80\x93 This rating reflects an organization's ability to identify,\n       acquire, install, and maintain appropriate IT solutions and the adequacy of the institution's\n       systems development methodology and related risk management practices for acquisition\n       and deployment of information technology. The rating also reflects the board\xe2\x80\x99s and\n       management's ability to enhance and replace IT prudently in a controlled environment.\n\n   \xe2\x80\xa2   Support and Delivery \xe2\x80\x93 This rating reflects an organization's ability to provide\n       technology services in a secure environment. 
The rating reflects not only the condition of
       IT operations but also factors such as reliability, security, and integrity, which may affect
       the quality of the information delivery system.

Institutions receive URSIT ratings in accordance with the following guidelines:

   •   Financial institutions exposed to a very low level of technology risk (those for which
       IT-MERIT examination procedures were used) are assigned only a composite URSIT rating
       in a safety and soundness report of examination.

   •   Financial institutions exposed to low to moderate technology risk that receive a 1 or 2
       URSIT composite rating at current IT examinations will be assigned only a composite
       URSIT rating in a safety and soundness report of examination.

   •   Financial institutions exposed to low to moderate technology risk with any component
       URSIT rating of 3, 4, or 5 or a composite rating of 3, 4, or 5 at the current IT examination
       will be assigned a full URSIT rating – a rating for each of the four critical components and
       a composite rating – in a separate IT report of examination.

   •   Financial institutions exposed to a high level of technology risk will be assigned a full
       URSIT rating in a separate IT report of examination.


APPENDIX IV

TECHNOLOGY PROFILE SCRIPT

The Technology Profile Script is a series of questions completed by FDIC Field Supervisors or
their designees no more than 3 months before each IT examination. 
The questions are generally\nanswered by contacting the financial institution but can be completed based on information\nobtained from prior IT examination reports or from FDIC databases. Examiners use the answers\nfrom the profile script to complete a scoring matrix included as part of the profile script. Each\ntechnology component used by the institution contributes to the overall matrix score. The Field\nSupervisor or Supervisory Examiner may also make qualitative adjustments to the numeric\nscores to address risks that may not be evident in the Technology Profile Script.\n\nThe profile script is designed to be a standardized basic measurement of the complexity and risk\nof the technology deployed at a financial institution. The profile script can be used as a guide to\nassist examiners and managers in planning IT examinations by identifying key risk areas to\nreview, the level and scope of review needed, and required examination procedures. The profile\nscript can also be used to allocate examination resources and match examiner skills to the\ncomplexity of the institution or determine training needs.\n\nThe matrix score and other qualitative criteria are used to classify an institution\xe2\x80\x99s technology\nprofile. Based on the matrix score, institutions are grouped into one of four technology profile\ncategories. These range from Type I institutions that have limited technology systems to\nType IV institutions that have complex or sophisticated technology systems. An institution\xe2\x80\x99s\ntechnology profile category, or type, is the key factor to determine the examination procedures to\nbe used, such as whether the institution qualifies for IT-MERIT Procedures, the IT General Work\nProgram, or FFIEC work programs. 
Table 5 quantifies the numerical ranges for determining the
technology profile category and required examination procedures to be used at each financial
institution being evaluated.

Table 5: Technology Profile Scoring Matrix

  Technology Profile    Technology          Required Work Program
  Matrix Score Range    Profile Category
  0-49                  Type I              IT-MERIT Procedures
  0-49                  Type II             IT General Work Program
  50-79                 Type III            IT General Work Program supplemented by FFIEC work programs
  80-130                Type IV             FFIEC work programs

Source: FDIC Regional Directors Memorandum 2002-043.


Type I and Type II financial institutions have similar technology profile characteristics and fall
within the same matrix score range. Type I differs from Type II in that Type I institutions have
satisfactory ratings and do not conduct in-house programming or processing of core applications
for other institutions. Type II institutions are those with less than satisfactory ratings (i.e., any
component or composite URSIT rating of 3, 4, or 5 at the prior or current IT examination,
including state regulatory authority examinations accepted by the FDIC) and those that conduct
in-house programming or perform core processing services for other insured financial
institutions. 
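The scoring matrix in Table 5 and the Type I/II qualifiers above define a classification rule, and the PEP memorandum described in the Corporation Comments is to reconcile the planned examination type against the Technology Profile Script score; the absence of that reconciliation is what produced the "Incorrect Program" and "Outdated Program" columns of Appendix II. The following Python code is an added example that is not part of this report and is not an FDIC tool. It implements the Table 5 classification and then runs the two reconciliation checks over records transcribed from Appendix II. The Exam record layout, the January 31, 2003 cutoff for requiring the December 2002 FFIEC Information Security work program, and the names given to the work programs are assumptions made for the example; the security work program for examinations other than Type IV is not recorded in Appendix II and is left empty.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Table 5 (RD Memorandum 2002-043): technology profile category -> required work program.
REQUIRED_PROGRAM = {
    "I": "IT-MERIT Procedures",
    "II": "IT General Work Program",
    "III": "IT General Work Program supplemented by FFIEC work programs",
    "IV": "FFIEC work programs",
}
TYPE_RANK = {"I": 1, "II": 2, "III": 3, "IV": 4}

# Assumption for this example: from the January 31, 2003 e-mail onward, the security
# portion of an FFIEC-work-program (Type IV) examination must use the December 2002
# FFIEC Information Security work program. Program names are labels chosen here.
SECURITY_PROGRAM_CUTOFF = date(2003, 1, 31)
CURRENT_SECURITY_PROGRAM = "2002 FFIEC Information Security"


def profile_type(score: int, unsatisfactory_rating: bool = False,
                 in_house_programming: bool = False,
                 serves_other_institutions: bool = False) -> str:
    """Map a Technology Profile Script matrix score to a profile category (Table 5).

    Scores 0-49 are Type I unless a Type II qualifier applies: any component or
    composite URSIT rating of 3, 4, or 5 at the prior or current IT examination,
    in-house programming, or core processing for other insured institutions.
    """
    if not 0 <= score <= 130:
        raise ValueError(f"matrix score {score} is outside the 0-130 range of Table 5")
    if score >= 80:
        return "IV"
    if score >= 50:
        return "III"
    if unsatisfactory_rating or in_house_programming or serves_other_institutions:
        return "II"
    return "I"


@dataclass(frozen=True)
class Exam:
    bank: str
    score: int                       # Technology Profile Script matrix score
    exam_type: str                   # examination type actually performed
    exam_date: date
    security_program: Optional[str]  # security work program used, if recorded


def reconcile(exams: List[Exam]) -> Tuple[List[str], List[str]]:
    """Return (incorrect_program, outdated_program).

    incorrect_program: banks examined at a type below what their score requires.
    outdated_program: Type IV examinations after the cutoff whose recorded security
    work program is not the December 2002 FFIEC Information Security program.
    """
    incorrect, outdated = [], []
    for e in exams:
        required = profile_type(e.score)
        if TYPE_RANK[e.exam_type] < TYPE_RANK[required]:
            incorrect.append(e.bank)
        if (e.exam_type == "IV"
                and e.exam_date >= SECURITY_PROGRAM_CUTOFF
                and e.security_program is not None
                and e.security_program != CURRENT_SECURITY_PROGRAM):
            outdated.append(e.bank)
    return incorrect, outdated


def _d(s: str) -> date:
    """Parse the MM.DD.YY dates used in Appendix II."""
    m, d, y = (int(p) for p in s.split("."))
    return date(2000 + y, m, d)


OLD = "1996 FFIEC Information Systems"
CFI = "1996 FFIEC CFI Networking and Data Security"
NEW = CURRENT_SECURITY_PROGRAM

# Records transcribed from Appendix II (bank, score, exam type, date, security program).
# The security program column is only recorded there for Type IV examinations.
SAMPLE_EXAMS = [Exam(b, s, t, _d(dt), p) for b, s, t, dt, p in [
    ("A", 75, "IV", "01.13.03", OLD), ("B", 65, "III", "02.10.03", None),
    ("C", 50, "III", "06.09.03", None), ("D", 75, "III", "06.09.03", None),
    ("E", 65, "III", "06.16.03", None), ("F", 65, "III", "06.16.03", None),
    ("G", 55, "III", "08.04.03", None), ("H", 70, "III", "08.04.03", None),
    ("I", 50, "III", "08.04.03", None), ("J", 50, "III", "11.10.03", None),
    ("K", 105, "IV", "04.16.03", NEW), ("L", 85, "IV", "07.28.03", NEW),
    ("M", 65, "III", "07.14.03", None), ("N", 80, "III", "02.18.03", None),
    ("O", 100, "III", "09.29.03", None), ("P", 85, "III", "10.27.03", None),
    ("Q", 95, "IV", "03.31.03", OLD), ("R", 100, "IV", "04.07.03", OLD),
    ("S", 85, "IV", "08.11.03", OLD), ("T", 90, "IV", "10.20.03", OLD),
    ("U", 85, "IV", "11.03.03", CFI),
]]

if __name__ == "__main__":
    wrong_type, old_program = reconcile(SAMPLE_EXAMS)
    print("examined below the required type:", wrong_type)  # ['N', 'O', 'P']
    print("superseded security work program:", old_program)  # ['Q', 'R', 'S', 'T', 'U']
```

Run as a script, the two lists reproduce the three "Incorrect Program" and five "Outdated Program" entries of Appendix II; bank A is not flagged because its examination predates the cutoff, which matches note a. Qualitative adjustments by the Field Supervisor, which the report says may override the numeric score, are deliberately outside the check: they belong in the PEP memorandum as a documented exception, not in the rule.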
Characteristics of each technology profile category are shown below.\n\n\xe2\x80\xa2   Type I financial institutions have limited networking and e-Banking activities and do not\n    conduct in-house programming or perform core processing services for other insured\n    institutions. Institutions in this category have minimal external threats with primary risks\n    centered on the core banking system or vendor management. Examiners will use IT-MERIT\n    procedures exclusively for all Type I institutions.\n\n\xe2\x80\xa2   Type II financial institutions have limited networking and e-Banking activities and usually do\n    not conduct in-house programming or servicing of other institutions. Institutions in this\n    category have minimal external threats with primary risks centered on the core banking\n    system or vendor management. Examiners will use the IT General Work Program for all\n    Type II institutions.\n\n\xe2\x80\xa2   Type III financial institutions have fully integrated networking into their operations.\n    Institutions in this category have increased external threats from e-Banking activities and\n    Internet connections or have increased operational risks from limited programming activities\n    or servicing responsibilities. Examiners will use the IT General Work Program,\n    supplemented with FFIEC work programs as needed, for Type III institutions.\n\n\xe2\x80\xa2   Type IV financial institutions rely on networks and other communication systems as a critical\n    element of their operations. Networking among business clients and partners is common,\n    and Internet connectivity may be relied upon as a critical communications medium. As a\n    result of Internet and other wide-area network connections, risk of compromise or access to\n    critical systems from external sources is present. The complexity of the technology increases\n    system administration and security risks. 
Examiners will use the FFIEC work programs for
    all Type IV institutions.

                                                                                  APPENDIX V

CORPORATION COMMENTS

                                                                                  APPENDIX VI

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response that has been made on the recommendation in our report and the status of the
recommendation as of the date of report issuance. The information in this table is based on management’s written response to our report.

  Rec.    Corrective Action: Taken or Planned/Status                   Expected            Monetary   Resolved (a):  Dispositioned (b):  Open or
  Number                                                               Completion Date     Benefits   Yes or No      Yes or No           Closed (c)
  ------  -----------------------------------------------------------  ------------------  ---------  -------------  ------------------  ----------
  1       DSC will assess and revise as necessary the instructions     December 31, 2004   N/A        Yes            No                  Open
          for the IT pre-examination planning memoranda to include
          type of examination planned, Technology Profile Script
          score, and the intended work program to be used.

          DSC is standardizing a field office review program to        March 31, 2005
          ensure examination program conformance with FDIC policies
          and to apply the appropriate emphasis on areas reviewed.
          The review program will include periodic sampling of
          examination work papers and a review of examination
          processing.

  (a) Resolved – (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation.
                 (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
                 (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long
                     as management provides an amount.
  (b) Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved
      through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the
      recommendation.
  (c) Once the OIG dispositions the recommendation, it can then be closed.